Re: FreeRADIUS + 802.1X wireless rollout questions
Alan DeKok wrote:
> Walter Gould wrote:
> > Here's where my concerns lie - I am concerned about how many simultaneous authentication requests that a single Freeradius server can handle. I have read the Testimonials and the Why we're #1 pages on the freeradius site - which says there are numerous sites using freeradius to support more than 10,000 or 20,000 users.
>
> And, sites with 15,000,000 users.
>
> > Our school currently has around 21,000 students on our campus. Of that 21,000 - there is usually around 1000 users logged into our wireless network at any given time, however, that number continually increases.
>
> The authentication load on the server is relatively easy to calculate. If you have N users on, each with an average session time of S seconds, the load on the system will be N/S.
>
> e.g. 1K users, 20 minute session time (1200s) is about 1 auth/s. That is very little load...
>
> With EAP, there are multiple packets per user authentication, and SSL setup overhead. See raddb/certs/README. Interaction with Active Directory adds even more overhead. But a 2GHz machine should be fine.
>
> As was pointed out, you'll need a second machine for failover before the first one is at all busy.
>
> > Questions:
> > 1. Do any of you have feedback/thoughts/experience on how our freeradius server may handle the auth. request load given our situation?
> > 2. Do you think that we may need to tweak any of the settings in the radiusd.conf file (max_requests, max_request_time, etc)?
>
> The default configuration should be pretty much fine.
>
> > 3. Any other advice/suggestions you have or think of would be welcome and appreciated.
>
> Test the system to prove for yourself that the above numbers are true. Use eapol_test from wpa_supplicant on client machines to hammer the server with test authentications. That will give you a *measured* number for server performance.
>
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan D. and Alan B.,

Thanks for both of your inputs and suggestions. I appreciate them. They have given me some good direction for testing and measuring performance.

Thanks again,
Walter
Re: FreeRADIUS + 802.1X wireless rollout questions
Walter Gould wrote:
> Here's where my concerns lie - I am concerned about how many simultaneous authentication requests that a single Freeradius server can handle. I have read the Testimonials and the Why we're #1 pages on the freeradius site - which says there are numerous sites using freeradius to support more than 10,000 or 20,000 users.

And, sites with 15,000,000 users.

> Our school currently has around 21,000 students on our campus. Of that 21,000 - there is usually around 1000 users logged into our wireless network at any given time, however, that number continually increases.

The authentication load on the server is relatively easy to calculate. If you have N users on, each with an average session time of S seconds, the load on the system will be N/S.

e.g. 1K users, 20 minute session time (1200s) is about 1 auth/s. That is very little load...

With EAP, there are multiple packets per user authentication, and SSL setup overhead. See raddb/certs/README. Interaction with Active Directory adds even more overhead. But a 2GHz machine should be fine.

As was pointed out, you'll need a second machine for failover before the first one is at all busy.

> Questions:
> 1. Do any of you have feedback/thoughts/experience on how our freeradius server may handle the auth. request load given our situation?
> 2. Do you think that we may need to tweak any of the settings in the radiusd.conf file (max_requests, max_request_time, etc)?

The default configuration should be pretty much fine.

> 3. Any other advice/suggestions you have or think of would be welcome and appreciated.

Test the system to prove for yourself that the above numbers are true. Use eapol_test from wpa_supplicant on client machines to hammer the server with test authentications. That will give you a *measured* number for server performance.

Alan DeKok.
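Added example, not part of the original thread or of FreeRADIUS: one way to get the measured number suggested in the reply above, by running eapol_test in parallel against a test server and comparing the result with the N/S estimate. The server address 192.0.2.10, the shared secret, the config file name peap-test.conf and the run sizes are assumed placeholders.

```python
#!/usr/bin/env python3
"""Drive eapol_test in parallel and compare measured auth/s with the N/S estimate."""
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor

# Assumed lab values: server address, shared secret and supplicant config file
# are placeholders, not taken from the thread. Point them at a test server.
EAPOL_TEST_CMD = ["eapol_test", "-c", "peap-test.conf", "-a", "192.0.2.10",
                  "-p", "1812", "-s", "testing123", "-t", "10"]


def expected_auth_rate(users_online, avg_session_seconds):
    """Steady-state estimate from the thread: N users / S seconds."""
    return users_online / avg_session_seconds


def run_one(cmd):
    """Run one full authentication; return (succeeded, elapsed_seconds)."""
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=30)
        ok = proc.returncode == 0   # eapol_test exits 0 only on EAP success
    except (OSError, subprocess.TimeoutExpired):
        ok = False                  # missing binary or a hung exchange
    return ok, time.monotonic() - start


def load_test(cmd, total, concurrency):
    """Run `total` authentications, `concurrency` at a time, and summarise."""
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(run_one, [cmd] * total))
    wall = time.monotonic() - start
    ok_times = sorted(t for ok, t in results if ok)
    return {
        "succeeded": len(ok_times),
        "failed": total - len(ok_times),
        "auth_per_sec": len(ok_times) / wall if wall else 0.0,
        "worst_latency": ok_times[-1] if ok_times else None,
    }


if __name__ == "__main__":
    need = expected_auth_rate(1000, 1200)   # figures quoted in the thread
    got = load_test(EAPOL_TEST_CMD, total=200, concurrency=20)
    print(f"estimated need {need:.2f} auth/s; measured {got}")
    sys.exit(0 if got["failed"] == 0 and got["auth_per_sec"] >= need else 1)
```

Failed or timed-out attempts are counted separately from successes, so a server that starts dropping requests under load shows up as a non-zero `failed` count rather than as an inflated rate.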
FreeRADIUS + 802.1X wireless rollout questions
List,

Our institution (a 4 yr. state college) is planning on implementing an 802.1X wireless network in the coming months. We have a test network in place now and all seems to be working well. We have two FreeRADIUS servers. We followed the FreeRADIUS Active Directory Integration HOWTO http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO from the wiki to get freeradius talking with our centrally managed AD servers for authentication. We are using freeradius version 2.0.3.

The primary server specs are: Intel 2GHz Xeon QC, 2GB installed RAM. The secondary is currently running on a vm. I hope to purchase a piece of hardware similar to the one above to run this on in the near future.

Here's where my concerns lie - I am concerned about how many simultaneous authentication requests that a single Freeradius server can handle. I have read the Testimonials and the Why we're #1 pages on the freeradius site - which says there are numerous sites using freeradius to support more than 10,000 or 20,000 users. Our school currently has around 21,000 students on our campus. Of that 21,000 - there is usually around 1000 users logged into our wireless network at any given time, however, that number continually increases.

Questions:
1. Do any of you have feedback/thoughts/experience on how our freeradius server may handle the auth. request load given our situation?
2. Do you think that we may need to tweak any of the settings in the radiusd.conf file (max_requests, max_request_time, etc)?
3. Any other advice/suggestions you have or think of would be welcome and appreciated.

Thanks,
Walter

--
Walter Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL
Re: FreeRADIUS + 802.1X wireless rollout questions
Hi,

> Questions:
> 1. Do any of you have feedback/thoughts/experience on how our freeradius server may handle the auth. request load given our situation?

we currently deal with 600 concurrent wireless users and 5000 concurrent wired users. the FR shows no sign of stress (after initial tweaks)

> 2. Do you think that we may need to tweak any of the settings in the radiusd.conf file (max_requests, max_request_time, etc)?

you may need to adjust number of threads. but your biggest issue in FR is the lookup of any external data - be that the AD, an SQL system etc

> 3. Any other advice/suggestions you have or think of would be welcome and appreciated.

when you move to 802.1X the RADIUS is your no.1 weak point. ensure you have failover

alan